Configuration script for a new Raspberry Pi
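#!/usr/bin/env bash
# Configuration script for a new Raspberry Pi.
#
# Usage: run once, as root, on a freshly imaged Raspbian system.
#
# Steps performed, in order: create an admin user whose only SSH login is the
# public key below, grant that user passwordless sudo, upgrade all packages,
# schedule a nightly update job, turn off SSH password authentication, install
# a default-deny iptables/ip6tables rule set, blacklist the WiFi and Bluetooth
# kernel modules, set the timezone, expand the root filesystem, neutralise the
# stock "pi" account and reboot.
#
# Only the variables above the "DO NOT EDIT" line are meant to be changed.

username=goodolclint
# Public key that becomes the ONLY way in over SSH once this has run. The key
# must be one quoted string: unquoted, bash treats the part after the first
# space as a command to execute rather than as part of the assignment.
publickey='ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAnMfLbajwTboPlqFJyajrl9h+V++Nua0BibBiYkNckYbzQrl512pzYsqjp+Iti09FaJMo7ezbDjTa9PNv/H9oodiat8DZah+1EoRF4uoEATeWouU9ruhGHGLEe3CA9+48nqnfMRnWHrXymlpNEZCY6CuN+fQWZd7dFJ3fystOZ26R2t3ijWBitzsVntCPSYTLgbtqozbZk6efJwzwua+i8E9GbHOQ39jM1F6byoO9CFqaw6OwkSzvo03BNTLYofsw/cwb9MovjvDJz4x2/0DA0pz5zREhTbnhXpxxJAOfO8/IHiiLCF2zChBXUIamcpdCcnlo+WZYHBrUSIx1Fnr00Q== rsa-key-20161130'
# Network interface the firewall rules are bound to.
iface=eth0
# Timezone written to /etc/timezone.
timezone=America/Chicago
### DO NOT EDIT BELOW THIS LINE ###

set -euo pipefail

# Private scratch directory for files that are validated before being
# installed. The fixed /tmp/<name> paths used previously could be pre-created
# or symlinked by any local user and then copied into /etc as root.
tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT

log() { printf '%s\n' "$*"; }
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Refuse to run unless root and sanity-check the editable settings before
# anything on the system is modified.
#######################################
check_preconditions() {
  (( EUID == 0 )) || die 'This script must be run as root'
  # The name is interpolated into file names and into a sudoers fragment, so
  # restrict it to a plain POSIX user name.
  [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"
  [[ -n "$publickey" ]] || die 'publickey is empty'
}

#######################################
# Create the admin user with bash as login shell and install the public key.
# Globals: username, publickey (read)
#######################################
create_user() {
  local home=/home/$username
  local auth_file=$home/.ssh/authorized_keys
  log "Creating user \"$username\""
  useradd --create-home --shell /bin/bash "$username"
  log "Allowing user \"$username\" to SSH without a password"
  install -d -m 0700 -o "$username" -g "$username" "$home/.ssh"
  printf '%s\n' "$publickey" > "$auth_file"
  chmod 0600 "$auth_file"
  chown "$username:$username" "$auth_file"
  # Password login is switched off further down; abort now if the key does
  # not parse, otherwise the machine has no usable login after the reboot.
  ssh-keygen -l -f "$auth_file" >/dev/null || die 'publickey is not a valid SSH public key'
}

#######################################
# Grant passwordless sudo through a validated fragment in /etc/sudoers.d.
# Globals: username, tmpdir (read)
#######################################
configure_sudo() {
  local fragment=$tmpdir/099-$username
  log "Allowing user \"$username\" to sudo without a password"
  printf '# allows user %s\n# to sudo without a password\n%s ALL=(ALL:ALL) NOPASSWD: ALL\n' \
    "$username" "$username" > "$fragment"
  # A syntax error here breaks sudo for every user, and sudo rejects
  # fragments that are not mode 0440, so check and install explicitly
  # instead of cp'ing a 0644 file into place.
  visudo -cf "$fragment" >/dev/null || die 'generated sudoers fragment is invalid'
  install -m 0440 -o root -g root "$fragment" "/etc/sudoers.d/099-$username"
}

#######################################
# Bring the package set up to date without interactive prompts.
# Globals: DEBIAN_FRONTEND (written, exported for later apt-get calls)
#######################################
upgrade_system() {
  log 'Upgrading to latest Rasbian distro'
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get dist-upgrade -y
  apt-get autoremove -y
}

#######################################
# Add a nightly package-update job to root's crontab.
#######################################
schedule_updates() {
  log 'Setting Cron job to automatically install security updates nightly'
  # The earlier job ran only "apt-get update", which refreshes the package
  # index but installs nothing. Debian's unattended-upgrades package is the
  # better choice if reboot handling or notifications are ever needed.
  { crontab -l 2>/dev/null || true
    printf '%s\n' '0 01 * * * apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -qq -y upgrade'
  } | crontab -
}

#######################################
# Disable SSH password login, validating the new config before installing it.
# Globals: tmpdir (read)
#######################################
harden_sshd() {
  local cfg=$tmpdir/sshd_config
  log 'Disable password authentication in ssh'
  cp /etc/ssh/sshd_config "$cfg"
  # sshd uses the first value it sees for a keyword, so any stock line left
  # active would silently override the settings appended below.
  sed -i -E 's/^[[:space:]]*(PubkeyAuthentication|ChallengeResponseAuthentication|PasswordAuthentication|UsePAM)[[:space:]]/#&/' "$cfg"
  # NOTE: appended lines would fall inside a trailing "Match" block if the
  # file had an active one; the stock Raspbian file only has a commented example.
  cat >>"$cfg" <<'EOF'

#Disable password authentication
ChallengeResponseAuthentication no
PasswordAuthentication no

#Allow public key
UsePAM yes
PubkeyAuthentication yes
EOF
  # A bad config would leave sshd unable to start after the reboot.
  /usr/sbin/sshd -t -f "$cfg" || die 'generated sshd_config is invalid; /etc/ssh/sshd_config left untouched'
  install -m 0644 -o root -g root "$cfg" /etc/ssh/sshd_config
}

#######################################
# Load one address family's rule set: SSH in, ping, loopback, all outbound.
# Globals: iface (read)
# Arguments: $1 - iptables or ip6tables
#            $2 - icmp or icmpv6 (also selects the --<proto>-type option)
#            $3 - "anywhere" destination for the outbound rule
#            $4 - loopback address, for the log message only
#######################################
apply_firewall_rules() {
  local fw=$1 icmp=$2 anywhere=$3 loopback=$4
  "$fw" --flush
  log 'Allow all incoming SSH connections'
  "$fw" -A INPUT -i "$iface" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$fw" -A OUTPUT -o "$iface" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  log 'Allow incoming ICMP echo (ping)'
  "$fw" -A INPUT -p "$icmp" "--${icmp}-type" echo-request -j ACCEPT
  "$fw" -A OUTPUT -p "$icmp" "--${icmp}-type" echo-reply -j ACCEPT
  log "Allow loopback ($loopback)"
  "$fw" -A INPUT -i lo -j ACCEPT
  "$fw" -A OUTPUT -o lo -j ACCEPT
  log 'Allow all outbound traffic'
  "$fw" -I OUTPUT -o "$iface" -d "$anywhere" -j ACCEPT
  "$fw" -I INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Policies go last so an SSH session running this script is never without
  # an ESTABLISHED rule while the default is already DROP.
  "$fw" -P INPUT DROP
  "$fw" -P FORWARD DROP
  "$fw" -P OUTPUT DROP
}

#######################################
# Install the IPv4 and IPv6 rule sets and persist them across reboots.
#######################################
configure_firewall() {
  log 'Creating IPTable Rules'
  apply_firewall_rules iptables icmp 0.0.0.0/0 127.0.0.1
  log 'Creating IPTable v6 Rules'
  apply_firewall_rules ip6tables icmpv6 ::/0 ::1
  apt-get -qq -y install iptables-persistent
  # Save explicitly rather than relying on the package's install-time
  # autosave prompt, which a non-interactive install may not answer.
  netfilter-persistent save
}

#######################################
# Blacklist the on-board WiFi and Bluetooth kernel modules.
#######################################
disable_radios() {
  log 'Disabling Wifi and Bluetooth'
  cat > /etc/modprobe.d/blacklist.conf <<'EOF'
#WiFi
blacklist brcmfmac
blacklist brcmutil
#Bluetooth
blacklist btbcm
blacklist hci_uart
EOF
}

#######################################
# Set the system timezone.
# Globals: timezone (read)
#######################################
set_timezone() {
  log "Set timezone to $timezone"
  printf '%s\n' "$timezone" > /etc/timezone
  dpkg-reconfigure -f noninteractive tzdata
}

# Locale/keyboard steps kept from the original script for reference; they
# were disabled there as well.
#log 'Setting locale to en_us'
#sed -i '/en_GB.UTF-8 UTF-8/s/^/# /g' /etc/locale.gen
#/usr/sbin/locale-gen
#DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
#dpkg-reconfigure keyboard-configuration

#######################################
# Give the stock "pi" account an unknown password, lock it and deny it a shell.
#######################################
disable_pi_user() {
  local pipw=
  log 'Randomizing password for user "pi"'
  # Built up in a loop rather than "tr | head -c 32": head closing the pipe
  # early gives tr SIGPIPE, which pipefail would turn into a script abort.
  while (( ${#pipw} < 32 )); do
    pipw+=$(head -c 64 /dev/urandom | tr -dc 'A-Za-z0-9')
  done
  # printf, not echo: the old unquoted "echo pi:$pipw" glob-expanded any
  # "*" or "?" in the generated password.
  printf '%s\n' "pi:${pipw:0:32}" | chpasswd
  log 'Disabling user "pi"'
  passwd -l pi
  usermod -s /usr/sbin/nologin pi
}

#######################################
# Entry point: run every configuration step, then reboot.
#######################################
main() {
  check_preconditions
  create_user
  configure_sudo
  upgrade_system
  schedule_updates
  harden_sshd
  configure_firewall
  disable_radios
  set_timezone
  log 'Expanding storage'
  raspi-config --expand-rootfs
  disable_pi_user
  log 'Rebooting'
  reboot
}

main "$@"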